不使用第三方库的PHP中的JWT(JSON Web令牌).怎么签? [英] JWT (JSON Web Token) in PHP without using 3rd-party library. How to sign?

问题描述

有一些库可用于在PHP中实现JSON Web令牌(JWT)，例如 php-jwt .我正在编写自己的类，非常小而简单，但是即使我已经确定了为什么我的签名未能通过验证此处试图坚持标准.我已经尝试了几个小时，却被卡住了.请帮忙！

There are a few libraries for implementing JSON Web Tokens (JWT) in PHP, such as php-jwt. I am writing my own, very small and simple class but cannot figure out why my signature fails validation here even though I've tried to stick to the standard. I've been trying for hours and I'm stuck. Please help!

我的代码很简单

//build the headers
$headers = ['alg'=>'HS256','typ'=>'JWT'];
$headers_encoded = base64url_encode(json_encode($headers));

//build the payload
$payload = ['sub'=>'1234567890','name'=>'John Doe', 'admin'=>true];
$payload_encoded = base64url_encode(json_encode($payload));

//build the signature
$key = 'secret';
$signature = hash_hmac('SHA256',"$headers_encoded.$payload_encoded",$key);

//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature";
echo $token;

base64url_encode函数:

function base64url_encode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

我的标头和有效负载与验证站点的默认JWT完全匹配，但我的签名不匹配，因此我的令牌是标记为无效.这个标准看起来真的很简单，所以我的签名出了什么问题?

My headers and payload perfectly match the validation site's default JWT, but my signature doesn't match so my token is flagged as invalid. This standard seems really straightforward so what's wrong with my signature?

推荐答案

我解决了！我没有意识到签名本身需要使用base64编码.另外，我需要将hash_hmac函数的最后一个可选参数设置为$raw_output=true(请参见文档.简而言之，我需要从原始代码中更改代码:

I solved it! I did not realize that the signature itself needs to be base64 encoded. In addition, I needed to set the last optional parameter of the hash_hmac function to $raw_output=true (see the docs. In short I needed to change my code from the original:

//build the signature
$key = 'secret';
$signature = hash_hmac('SHA256',"$headers_encoded.$payload_encoded",$key);

//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature";

要更正:

//build the signature
$key = 'secret';
$signature = hash_hmac('SHA256',"$headers_encoded.$payload_encoded",$key,true);
$signature_encoded = base64url_encode($signature);

//build and return the token
$token = "$headers_encoded.$payload_encoded.$signature_encoded";
echo $token;

这篇关于不使用第三方库的PHP中的JWT(JSON Web令牌).怎么签?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！